Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.os.linux.security > #294

Re: wpad.dat attack on Linux Apache server

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date 2013-05-24 14:49 +0200
Message-ID <mr-276591.14494824052013@News.Individual.NET> (permalink)
References <mr-983E88.11221424052013@News.Individual.NET>

Cross-posted to 3 groups.

Show all headers | View raw

In article <mr-983E88.11221424052013@News.Individual.NET>,
 Sandman <mr@sandman.net> wrote:

> I don't actually know if it's an attack.

85.24.167.69 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
83.233.16.50 MY_IP - [24/May/2013:14:24:33 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"
88.83.39.117 cluster.mydomain.com - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win64; Trident/6.0)"

Above are five sample rows (from thousands) on the server.

The log format I'm using is putting the vhost in the second column, so you see that the two first requests are to my IP, and the second three are to cluster.mydomain.com <- The hostname where my clients point their CNAME subdomains

The ones that access the IP has no agent string (consistently) and the ones that access cluster.mydomain.com does.

I also have these:

46.59.81.183 wpad - [24/May/2013:14:24:34 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"


I.e. accesses to the vhost "wpad", which is odd - becuase that's not the name of a vhost, nor is it a qualified domain name unless you're on a local network (right?) Is that a clue that some network out there thinks I am part of their local network?

And, as you can see - one IP above made three identical requests (which it got a 200 reponse to) three times in one second. I have more lika that with fvive, six or seven conescutive times and so on.


How do I block this?? :)



-- 
Sandman[.net]

Back to comp.os.linux.security | Previous | NextPrevious in thread | Find similar

Thread

wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
  Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
    Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
      Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
        Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
          Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
            Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
              Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
                Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
                Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
                Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
                Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
              Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
                Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
  Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200

csiph-web